With rapid technological advancement and surging volumes of data processing, a cohesive and comprehensive approach to personal data protection has never been more critical. To ensure that personal data is not breached while it is collected, processed, or shared, almost all countries require organisations holding such data to comply with some form of regulation. The USA, despite being one of the most developed countries and generating 402.74 million terabytes of data daily, has no comprehensive federal data protection law; personal data protection there rests on a patchwork of federal and state laws. Currently, three US states have their own consumer privacy laws: the California Consumer Privacy Act (CCPA, and its amendment, the CPRA), the Virginia Consumer Data Protection Act (VCDPA), and the Colorado Privacy Act (ColoPA). Regardless of where an organisation is located, the rights these laws grant apply only to people residing in those states.
In this article, we will focus on the Virginia Consumer Data Protection Act (VCDPA).
What is the Virginia Consumer Data Protection Act
The VCDPA is a state-level data privacy regulation that grants Virginia residents certain rights over personal data collected and processed by organisations. The state signed the Act into law on March 2, 2021, and it took effect on January 1, 2023, the same day the CPRA came into effect. The VCDPA applies from that date forward and does not apply retroactively. It is the second state-level data privacy regulation to be enacted, after the CPRA.
Who Does VCDPA Apply To
The VCDPA applies to all for-profit businesses that offer products or services to residents of the Commonwealth of Virginia if:
(1) they control or process the personal data of at least 100,000 residents of the Commonwealth of Virginia, or
(2) 50% of their total annual revenue comes from the sale of personal data (the legislation does not say whether this revenue must be derived from selling the data of Virginians) and they control or process the personal data of at least 25,000 residents of the Commonwealth of Virginia.
The VCDPA applies extraterritorially, meaning that companies do not need to be headquartered in Virginia to be subject to the law. Any business inside or outside the state must comply with VCDPA obligations and consumer privacy rights if it handles the personal data of Virginia residents in a way that falls within the scope of the regulation.
That said, non-profit organisations, government authorities within the Commonwealth of Virginia, financial entities regulated by the Gramm-Leach-Bliley Act, healthcare providers regulated by HIPAA, and institutions of higher education are exempt from the law.
VCDPA Consumer Rights
VCDPA empowers consumers with the following rights:
Right to Access
The VCDPA gives consumers the right to know whether a company is processing their personal data and to request access to that data. They may also inquire about the processing involved, which may include information about the data processors used.
Right to Rectification
If any inaccuracy or inconsistency in their personal data is found, consumers hold the right to rectify it.
Right to Delete
Consumers are entitled to request deletion of their personal data. VCDPA mandates data controllers to delete it from their records upon an authenticated request.
Right to Object to Data Processing
Consumers can, at any time, opt out of allowing processing of their personal data for sale, profiling, or targeted advertising “in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.”
Right to Data Portability
According to VCDPA, consumers can ask data controllers for a copy of their personal data being processed in a portable and functional format, especially if it involves automated processing.
Consumers can contact the office of the Virginia Attorney General to lodge a complaint against a company alleged to have violated the VCDPA. The Attorney General's office is responsible for handling complaints, conducting investigations, and imposing penalties.
Obligations for Controllers
The VCDPA imposes more stringent obligations on data controllers (a business or individual that determines how, when, or why consumer data is processed) than on data processors (an entity or individual that processes data on behalf of a controller). Under the VCDPA, data controllers have the following obligations:
- Limits on Collection and Use of Data: Controllers must limit data collection to what is relevant, necessary, and adequate for the disclosed purpose. The VCDPA also bars them from processing personal data for purposes that were not disclosed to the consumer or that are not necessary; such processing requires the consumer's consent.
- Reasonable Physical Data Security Practices: The legislation requires controllers to implement and maintain stringent data security practices to protect consumer data. Appropriate safeguards must be in place at both the technical and organisational level so that consumer data cannot be breached and its confidentiality, integrity, and availability are upheld at all times. This also covers the safe processing of sensitive data.
- Consent for Processing Sensitive Data: Before processing any sensitive personal data, controllers must obtain consent from the consumers concerned. According to the VCDPA, "Consent means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. Consent may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action."
- Data Processing Agreements (DPAs): Data controllers must sign a DPA with each processor that carries out processing activities on their behalf. The DPA should clearly define the purpose of the processing, the nature of the personal data processed, the processing instructions, and the obligations of both parties.
- Privacy Notice: Consumers must be given a clear and thorough privacy notice detailing (i) the categories of personal data being processed; (ii) the purpose of the processing; (iii) the rights consumers hold, how to exercise them, and how to appeal a decision by the controller; and (iv) the categories of personal data shared with third parties and details of those third parties (if applicable).
- Notice of Sale: Controllers that sell consumer personal data or process personal data for targeted advertising must state this in the privacy notice. Although controllers must provide a means for consumers to exercise their opt-out rights, the legislation does not prescribe a specific mechanism.
- Consumer Request Process: Controllers must set up one or more means for consumers to submit requests. Although the VCDPA does not define how consumers submit requests, it indicates they should be able to do so through the channels they normally use to interact with the controller.
- Data Protection Assessment: Controllers must conduct and document a data protection assessment. Documenting high-impact processing activities, such as processing for sale, profiling, or targeted advertising, is an obligation of data controllers. The assessment should also cover any processing activity that poses a heightened risk to consumer privacy.
Best Practices to Comply with VCDPA
For any business within the scope of the VCDPA, complying with the legislation is critical. As a controller, you must meet the obligations described above. The following list is intended to help you reach compliance and avoid non-compliance issues:
- First, determine whether your business falls within the scope of the VCDPA. If you are a for-profit business, check your operations against the criteria above.
- Keep consumers well informed about the data you collect, the types of data collected, the purpose of processing, and their privacy rights by publishing a comprehensive privacy policy. Make the privacy and user-rights options, such as consumer consent and opt-out, readily available and accessible through a pop-up or website banner.
- Review your privacy policy and update it annually. This is essential if you handle sensitive data or data relating to minors. Keep your privacy policy easily accessible on your official website, ideally through a Consent Management Platform (CMP).
- Allow consumers to opt out of sensitive data collection easily, and make sure their preferences are saved. For minors (13 years old or younger), obtain consent from a parent or legal guardian before collecting data.
- Make data subject access request (DSAR) submission effortless for consumers. Provide accessible contact channels such as email, a web form, or a toll-free telephone number. Track every DSAR and retain a record for at least two years. Setting up a dedicated system for DSAR submission and identity verification is recommended.
Non-Compliance Fines
Companies must meet the obligations detailed above. Any violation counts as non-compliance and exposes the company to penalties and fines of up to $2,500 per violation and $7,500 per intentional violation. Under the VCDPA, each affected consumer counts as one violation, so a company that breaches the rights of 1000 consumers can face a fine of up to $7,500,000.